Public bug reported: It seems that cloud-init inherited from Fedora the inclusion of "ssh_deletekeys: 0" in cloud.cfg.tmpl (commit 41d46bfb85). This is risky in orchestration environments where an instance might be used as a master or template, and cloned from without other tools removing SSH host keys. We believe that line should be removed from cloud.cfg.tmpl to reduce the risk of it being used in such environments.
CVE-2018-10896 has been assigned [1]. On the Fedora bug [2] we are looking into history.

1: https://access.redhat.com/security/cve/cve-2018-10896
2: https://bugzilla.redhat.com/show_bug.cgi?id=1598832

** Affects: cloud-init
Importance: Undecided
Status: New

https://bugs.launchpad.net/bugs/1781094

Title: cloud.cfg.tmp should not include "ssh_deletekeys: 0"